Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844077
Vincent Lefebvre, Gianni Santinelli
In this paper, we depict a new approach applicable to any types of software security solutions with the aim of regulating the protection level according to measured execution conditions. We define the inherent security requirement for this regulation and for that sake, a scalable use of Intel SGX trusted execution environment. We expose the merits of the solution assembling sustainability and security and describe a first implementation with its results and elaborate future works.
Citation: Vincent Lefebvre, Gianni Santinelli. "Always-Sustainable Software Security." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844077
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844103
K. Hattori, T. Korikawa, Chikako Takasaki, Hidenari Oowada, M. Shimizu, N. Takaya
Future network infrastructures will need to provide network services safely and rapidly under complex conditions that include accommodating many devices and multiple access lines such as 5G / 6G supported by multiple carriers. For this reason, the efficiency of the pre-verification needs to be improved for a large number of various devices to ensure safety and reliability. Furthermore, future carrier networks will support network disaggregation technologies to leverage best-of-breed technology from different suppliers in accordance with service requirements. Therefore, it is necessary to verify combinations of a large number of devices and the components constituting the network infrastructure to achieve optimal settings. In this paper, we propose the concept of network digital replica and a method of network node modeling to predict the performance of network nodes using neural-network-based machine learning. A network digital replica, which is a copy of a physical network, can be created in a digital domain not only to classify the specifications of network nodes but also to verify the performance for network devices digitally. We evaluate the effectiveness of the proposed method, which predicts the throughput and processing delays of actual routers on the basis of the sets of learning data including router settings and traffic conditions.
Citation: K. Hattori, T. Korikawa, Chikako Takasaki, Hidenari Oowada, M. Shimizu, N. Takaya. "Network Digital Replica using Neural-Network-based Network Node Modeling." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844103
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844044
Md. Shamim Towhid, Nashid Shahriar
Network traffic classification is used in many applications including network provisioning, malware detection, resource management, and so on. In modern networks, use of encrypted protocols is a norm rather than an exception. Existing network traffic classification techniques fall short in working with encrypted traffic. Although deep learning based techniques have been shown to perform well in the case of encrypted traffic classification, they require an abundance of labeled data to achieve high accuracy. However, labeled data is rarely available in sufficient volumes in real network settings as they require domain experts to annotate data with labels. Therefore, in this paper, we propose a self-supervised approach that can achieve high accuracy on encrypted network traffic classification with a few labeled data. The proposed method is evaluated on three publicly available datasets. The empirical result shows that our method not only achieves high accuracy on encrypted traffic but also has the ability to apply the acquired knowledge on a different dataset. In our experiments, our method outperforms the state-of-the-art baseline methods by ~3% in terms of accuracy even with a much lower volume of labeled data.
Citation: Md. Shamim Towhid, Nashid Shahriar. "Encrypted Network Traffic Classification using Self-supervised Learning." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844044
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844089
Nabhasmita Sen, A. Franklin
Network slicing is a key feature of 5G and beyond networks. Intelligent management of slices is important for reaping its highest benefits which needs further exploration. Focusing only on one goal as revenue maximization or cost minimization may not generate the highest profit for infrastructure providers in the long run. In this paper we jointly consider online admission and placement of Radio Access Network (RAN) slices with two objectives - a) maximizing revenue from accepting slices which are more profitable in the long run, and b) minimizing the cost to deploy them in Open RAN (O-RAN) enabled network by placing the slices efficiently. We formulate it as an optimization problem and propose a Deep Reinforcement Learning (DRL) based solution using Proximal Policy optimization (PPO). We compare our model with a state-of-the-art DRL based admission control solution and a greedy heuristic. We show that our proposed solution can efficiently adapt to dynamic load conditions. We also show that the proposed solution results in better performance to maximize the overall profit for infrastructure providers in comparison to the baselines.
Citation: Nabhasmita Sen, A. Franklin. "Intelligent Admission and Placement of O-RAN Slices Using Deep Reinforcement Learning." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844089
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844083
Ziteng Zeng, Leslie Monis, Shixiong Qi, K. Ramakrishnan
Traditional network resident functions (e.g., firewalls, network address translation) and middleboxes (caches, load balancers) have moved from purpose-built appliances to software-based components. However, L2/L3 network functions (NFs) are being implemented on Network Function Virtualization (NFV) platforms that extensively exploit kernel-bypass technology. They often use DPDK for zero-copy delivery and high performance. On the other hand, L4/L7 middleboxes, which usually require full network protocol stack support, take advantage of a full-fledged kernel-based system with a greater emphasis on functionality. Thus, L2/L3 NFs and middleboxes continue to be handled by distinct platforms on different nodes. This paper proposes MiddleNet that seeks to overcome this dichotomy by developing a unified network resident function framework that supports L2/L3 NFs and L4/L7 middleboxes. MiddleNet supports function chains that are essential in both NFV and middlebox environments. MiddleNet uses DPDK for zero-copy packet delivery without interrupt-based processing, to enable the ‘bump-in-the-wire’ L2/L3 processing performance required of NFV. To support L4/L7 middlebox functionality, MiddleNet utilizes a consolidated, kernel-based protocol stack processing, avoiding a dedicated protocol stack for each function. MiddleNet fully exploits the event-driven capabilities provided by the extended Berkeley Packet Filter (eBPF) and seamlessly integrates it with shared memory for high-performance communication in L4/L7 middlebox function chains. The overheads for MiddleNet are strictly load-proportional, without needing the dedicated CPU cores of DPDK-based approaches. MiddleNet supports flow-dependent packet processing by leveraging Single Root I/O Virtualization (SR-IOV) to dynamically select packet processing needed (Layer 2 to Layer 7). Our experimental results show that MiddleNet can achieve high performance in such a unified environment.
Citation: Ziteng Zeng, Leslie Monis, Shixiong Qi, K. Ramakrishnan. "MiddleNet: A High-Performance, Lightweight, Unified NFV and Middlebox Framework." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844083
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844113
P. Casas, Michael Seufert, Sarah Wassermann, B. Gardlo, Nikolas Wehner, R. Schatz
We introduce DeepCrypt, a deep-learning based approach to analyze YouTube adaptive video streaming Quality of Experience (QoE) from the Internet Service Provider (ISP) perspective, relying exclusively on the analysis of encrypted network traffic. Using raw features derived on-line from the encrypted stream of bytes, DeepCrypt infers six different video QoE indicators capturing the user-perceived performance of the service, including the initial playback delay, the number and frequency of rebuffering events, the video playback quality and encoding bitrate, and the number of quality changes. DeepCrypt offers deep visibility into the behavior of the end-user, enabling the fingerprinting and detection of different user actions on the video player, such as video pauses and playback scrubbing (forward, backward, out-of-buffer), offering a complete visibility on the video streaming process from in-network traffic measurements. Evaluations over a large and heterogeneous dataset composed of mobile and fixed-line measurements, using the YouTube HTML5 player, the native YouTube mobile app, as well as a generic HTML5 video player built on top of open source libraries, and considering measurements collected at different ISPs, confirm the out-performance of DeepCrypt over previously used shallow-learning models, and its generalization to different video players and network setups.
Citation: P. Casas, Michael Seufert, Sarah Wassermann, B. Gardlo, Nikolas Wehner, R. Schatz. "DeepCrypt - Deep Learning for QoE Monitoring and Fingerprinting of User Actions in Adaptive Video Streaming." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844113
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844033
S. Tambe, Shwetha Vittal, Pratik Abhijeet Bendre, Supriya Kumari, A. Franklin
Advancements in 5G and edge computing infrastructure increase the need to deploy location-based services for mission-critical applications like Vehicle to Everything (V2X) and Intelligent Transport System (ITS). In this demonstration, we showcase the location service capabilities of our 5G Core (5GC), coupled with Multi-access Edge Computing (MEC) for delay-sensitive ultra-Reliable Low Latency Communication (uRLLC) service types like V2X and ITS. We believe that this work will guide Mobile Network Operators in building a location assistance service system for emergencies and delay-critical applications.
Citation: S. Tambe, Shwetha Vittal, Pratik Abhijeet Bendre, Supriya Kumari, A. Franklin. "Demonstration of 5G-MEC assisted Location Services for Mission Critical Applications." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844033
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844046
Kouji Natori, Kei Fujimoto, A. Shiraga
Researchers have been investigating ways to implement signal processing functionality in radio access network with software in general-purpose servers, which is called virtualized Radio Access Network (vRAN). In implementing software in vRAN servers, the performance and efficiency gap between dedicated hardware and software in a general-purpose server must be considered to save power while meeting strict latency requirements. In this paper, we design and implement a frame forwarding system for vRAN traffic to meet three requirements: (A) low latency, (B) energy efficiency, and (C) microsecond-scale responsiveness, which means that low-latency and energy-efficiency solutions are reactive and effective for a microsecond time slot in vRAN traffic. In the proposed system, a user-space thread receives frames with busy polling to achieve low latency and can sleep to reduce power consumption when no frame arrives. In addition, a polling thread in our system reduces the overhead of waking up to keep up with vRAN traffic even when it is woken up just after starting to sleep. Our experiments show the proposed system meets latency requirements at a level comparable with an existing busy polling system and can reduce the power consumption more than the existing busy polling system for most traffic.
Citation: Kouji Natori, Kei Fujimoto, A. Shiraga. "Low-Latency and Energy-Efficient Frame Forwarding for vRAN Traffic." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844046
Pub Date: 2022-06-27; DOI: 10.1109/NetSoft54395.2022.9844107
Daniel Gónzalez-Sánchez, I. D. Martinez-Casanueva, A. Pastor, Luis Bellido Triana, Cristina Pinar Muñoz Zamarro, Alejandro Antonio Moreno Sancho, David Fernández Cambronero, Diego R. López
In recent years, several research works have proposed the analysis of network flow information using machine learning in order to detect threats or anomalous activities. In this sense, NetFlow-based systems stand out as one of the main sources of network flow information. In these systems, NetFlow collectors provide the flow monitoring information to be analyzed, but the particular information structure and format provided by different collector implementations is a recurring problem. In this paper, a new YANG data model is proposed as a standard model to use NetFlow-based monitoring data. In order to validate the proposal, a NetFlow collector incorporating the proposed NetFlow YANG model has been developed, to be integrated in a network scenario in which network flows are analyzed to detect malicious cryptomining activity. This collector extends an existing one, and provides design patterns to incorporate other existing collectors into this common data model. Our results show how, by using the YANG modeling language, network flow information can be handled and aggregated in a formal and unified way that provides flexibility and facilitates data analysis applied to threat detection.
Citation: Daniel Gónzalez-Sánchez, I. D. Martinez-Casanueva, A. Pastor, Luis Bellido Triana, Cristina Pinar Muñoz Zamarro, Alejandro Antonio Moreno Sancho, David Fernández Cambronero, Diego R. López. "Model-Driven Network Monitoring Using NetFlow Applied to Threat Detection." 2022 IEEE 8th International Conference on Network Softwarization (NetSoft). https://doi.org/10.1109/NetSoft54395.2022.9844107